Privacy Notice

Published on 19/03/2024

Last Updated: June 1, 2026

NOTICE EFFECTIVE DATE: JUNE 26, 2026

1. INTRODUCTION

Thank you for visiting OKX.com. OKX, as a data controller, provides this Privacy Notice to describe our practices regarding the collection, storage, use, disclosure, and other processing of Personal Data. This includes the legal bases upon which we rely, your rights, safeguards applicable to cross-border data transfers, and how to contact us.

This Notice applies to users, prospective users, website visitors, and any individual whose Personal Data OKX processes in connection with the OKX Platform and Services (the "OKX Platform"). It does not apply where OKX acts as a data processor on behalf of a separate controller, nor does it apply to job applicants or employees (who are covered by a separate employee privacy policy).

This Notice should be read alongside any supplementary notices that apply to you, including the OKX Supplementary Notice on AML/CFT Cross-Border Data Sharing (which applies to multi-entity customers) and the OKX Biometric Data Policy.

By using the OKX Platform, you acknowledge that you have read and understood this Notice. Where your consent is required for specific processing activities, it will be obtained separately and in advance.

2. CONTROLLER AND CONTACT DETAILS

The OKX entity acting as Data Controller depends on your jurisdiction and registration date:

| Relevant OKX entity | Who you are | Relevant Privacy office and DPO Email address |
|---|---|---|
| OKX Bahamas FinTech Company Limited | A user who is a resident of Mexico and who registered between November 16, 2022 and August 28, 2023, or an institutional user who registered on or after August 29, 2023 | privacyoffice@okx.com or reach us by mail at: OKX Bahamas FinTech Company Limited - G.K. Symonette Building, Shirley Street, P.O. Box N-7525, Nassau, The Bahamas |
| OKX Serviços Digitais Ltda. | A user who is a resident of Brazil and who registered on or after June 15, 2023 | privacyoffice@okx.com or reach us by mail at: OKX Serviços Digitais Ltda. - Avenida Brigadeiro Faria Lima, nº 4055, 4º andar, sala 113, Itaim Bibi, na cidade e Estado de São Paulo, CEP 04538-133 |
| OKX SG Pte. Ltd. | A user who is a resident of Singapore or Brunei and who registered on or after 13 October 2023 | privacyoffice@okx.com or reach us by mail at: OKX SG Pte. Ltd. - 12 Marina Boulevard #36-01 Marina Bay Financial Centre, Singapore (018982) |
| Aux Cayes FinTech Co. Ltd. | A user who does not fall under any of the above categories | privacyoffice@okx.com or reach us by mail at: Aux Cayes FinTech Co. Ltd. - Suite 202, 2nd Floor, Eden Plaza, Eden Island, Victoria, Mahe, Seychelles |
| OKX Australia Pty Ltd | A user who has entered into a contract with OKX Australia Pty Ltd (ABN 22 636 269 040) | privacyoffice@okx.com or reach us by mail at: OKX Australia Pty Ltd - Level 11, 307 Queen Street, Brisbane QLD 4000 |
| OKX Australia Pty Financial Ltd | A user who has entered into a contract with OKX Australia Financial Pty Ltd (ABN 14 145 724 509) | privacyoffice@okx.com or reach us by mail at: OKX Australia Pty Financial Ltd - Level 29, 66 Goulburn Street, Sydney NSW 2000 |
| OKX INC. | A user who has entered into a contract with OKX INC. | privacyoffice@okx.com or reach us by mail at: One Sansome Street, Suite 3500 PMB 6005, San Francisco, CA 94104. |
| OKX Fintech Sociedad Anónima de Capital Variable | A user who has entered into a contract with OKX Fintech Sociedad Anónima de Capital Variable. | privacyoffice@okx.com or reach us by mail at: OKX Fintech Sociedad Anónima de Capital Variable, Calle El Mirador e/87 y 89 Av. Nte., Col. Escalón, Oficinas SNBX, Distrito de San Salvador y Capital de la República, Municipio de San Salvador Centro, El Salvador. |
| OKX Fintech, SA de CV (Argentine Branch) | A user who has entered into a contract with OKX Fintech, SA de CV (Argentine Branch). | privacyoffice@okx.com or reach us by mail at: OKX Fintech, SA de CV (Argentine Branch), Maipu 1300, 9th floor, City of Buenos Aires, Argentina. |

Data Protection Officer

OKX has designated a Group Data Protection Officer (DPO) responsible for overseeing data protection compliance across the OKX Group. The DPO may be contacted at:

  • Email: privacyoffice@okx.com

  • Ioannis Giannakakis | OKX Europe Limited | Piazzetta Business Plaza, Office Number 4, Floor 2, Triq Ghar il-Lembi, Sliema, SLM 1562, Malta.

Joint Controllership (Multi-Entity Customers)

Where you hold accounts with more than one OKX Group entity simultaneously, each entity is an independent data controller in relation to the personal data it collects for its own regulatory obligations. In specific circumstances, in particular the cross-border sharing of AML/CFT risk data described in Section 8, two or more OKX Group entities may act as joint controllers.

3. DEFINITION

| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, including name, ID number, location data, online identifier, or factors specific to the physical, economic, cultural, or social identity of that person. Does not include anonymized data. |
| Sensitive / Special Category Data | Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data (for identification), health data, or data concerning sex life or sexual orientation (GDPR Art. 9). |
| Biometric Data | Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person that allows or confirms their unique identification (GDPR Art. 4(14)). |
| Nonpublic Personal Information (NPI) | Any information a financial institution collects in connection with providing a financial product or service that is not publicly available (GLBA, 15 U.S.C. § 6809(4)). Includes name, address, account details, transaction history, and consumer report data. |
| Profiling | Any form of automated processing of Personal Data to evaluate, analyze, or predict personal aspects, including economic situation, behavior, preferences, or risk profile. |
| Entity-Matching | The process of determining, with a high degree of confidence, whether individuals who have submitted different identity credentials to different OKX Group entities are the same individual, for the purposes of AML/CFT group-wide controls. |
| Customer Risk Rating (CRR) | An internal risk classification assigned to a customer based on KYC, transaction monitoring, PEP/sanctions status, and other due diligence factors. |

4. PERSONAL DATA WE COLLECT

OKX collects Personal Data you provide directly, data collected automatically through your use of our Services, and data received from third parties.

Data You Provide

  • Identity and contact: full name, email, telephone, date of birth, nationality, residential address, government-issued identification documents.

  • Institutional (business accounts): corporate legal name, registration number, proof of legal existence, beneficial owner information, business description, source of funds / wealth.

  • Commercial information: data related to transactions conducted on the OKX Platform.

  • Financial: bank account details, credit/debit card numbers, source of funds, assets and liabilities.

  • PEP and sanctions: information about whether you or a close associate holds a prominent public function.

  • Correspondence: communications with Customer Support, survey responses, chat logs.

  • Optional profile: avatar, display name, nickname.

Data Collected Automatically

  • Technical identifiers: IP address, MAC address, device fingerprint, unique device identifiers, operating system, browser type and version.

  • Usage and behavioral: session data, clickstream, page interaction signals, approximate geolocation derived from IP address.

  • Application data: information about applications installed on your device where necessary to detect malicious software or device compromise that may affect your account security.

Data Received from Third Parties

  • Identity verification: from processors Au10tix, Jumio, and Sumsub, including biometric data - see Section 18.

  • AML / fraud: from sanctions screening, PEP database, and fraud intelligence providers (including Refinitiv World-Check, Dow Jones Risk & Compliance, Moody's).

  • Payment: from banks and payment processors, including your name, account details, and transaction information.

  • Referral: from referrers, affiliates, and marketing partners.

AML/CFT Data Shared Within the OKX Group (Multi-Entity Customers)

If you hold accounts with more than one OKX Group entity, authorized Compliance personnel (including Money Laundering Reporting Officers) may share Personal Data about you between entities in specific elevated-risk scenarios described in Section 8. The categories of data that may be shared in this context include identity and verification data, risk and compliance data (CRR, PEP/sanctions status, transaction monitoring alerts), biometric entity-matching data, and device and technical data used as confidence factors.

AI Agent Product

If you authorize a third-party AI agent to access your OKX account, OKX collects access and refresh tokens, device identifiers, IP addresses, authorization event logs, KYC Level 2 status, and for high-risk countries, AUM threshold data, together with risk-triggered liveness data where applicable (see Section 18).

| Processing Purpose | Legal Basis | Data Categories |
|---|---|---|
| Account creation, onboarding, KYC, and provision of Services | Contract performance | Identity, financial, verification, transactional |
| AML/CFT compliance, sanctions screening, PEP checks | Legal obligation | Identity, financial, PEP, biometric, transactional |
| Intra-group AML/CFT data sharing (multi-entity customers) | Legal obligation; Legitimate interest | CRR, risk indicators, sanctions matches, account status |
| Biometric entity-matching across group entities | Substantial public interest | Facial geometry, biometric confidence scores |
| Fraud detection and platform security | Legitimate interest | Device data, IP, behavioural signals, transactional |
| Regulatory reporting, tax compliance, STR/SAR filing | Legal obligation | Identity, financial, transactional, risk data |
| AI-driven risk scoring and automated account decisions | Legal obligation; Legitimate interest | Behavioural, transactional, identity, device data |
| Customer support | Contract performance; Legitimate interest | Identity, correspondence, transactional |
| Service improvement, analytics, product development | Legitimate interest (business improvement) | Usage, browser/log data, correspondence |
| Direct marketing communications | Consent | Name, email, communication preferences |
| Non-essential cookies and behavioural tracking | Consent | Device identifiers, browsing behaviour, IP |
| Biometric identity verification (onboarding) | Explicit consent | Facial geometry, liveness detection data |
| Legal proceedings and defence of claims | Legitimate interest | All relevant categories |
| Pre-contractual vendor evaluation | Legitimate interest / service provider / contractor exception | Pseudonymized subset of identity, transactional, and behavioral data. Biometric data from users is excluded absent explicit written consent |

6. HOW WE USE YOUR PERSONAL DATA

In addition to the purposes mapped in Section 5, OKX uses your Personal Data to:

  • Administer your account, process transactions, and deliver requested Services;

  • Comply with applicable legal and regulatory obligations, including AML/CFT, sanctions, and tax reporting;

  • Detect, investigate, and prevent fraudulent transactions, unauthorized access, and prohibited activities;

  • Communicate with you about your account, material changes to our Services, and legal or operational notifications;

  • Improve our platform, develop new products, and conduct internal analytics and research;

  • Conduct group-wide AML/CFT risk assessment for multi-entity customers (see Section 8);

  • Send you marketing communications about OKX products and services, with your consent.

7. AUTOMATED DECISION-MAKING, PROFILING, AND ENTITY-MATCHING

OKX uses automated processing and AI-driven systems for the following purposes that may have significant effects on your account. In all cases where automated processing produces a result that may significantly affect your account or relationship with OKX Group, that result is subject to mandatory review by a trained human Compliance or CDD officer before any consequential action is taken.

| System / Purpose | Data Inputs / Logic | Potential Effect | Human Review |
|---|---|---|---|
| KYC Identity Verification | Document analysis, liveness detection, cross-reference against sanctions and fraud databases (Au10tix, Jumio, Sumsub). | Account activation delayed, restricted, or declined. | Mandatory before final decision. |
| AML Transaction Risk Scoring | Transaction patterns, counterparty data, source of funds, PEP status, jurisdictional risk, behavioral signals to assign Customer Risk Rating (CRR). | Enhanced due diligence, transaction limits, or suspension of withdrawals. | Mandatory MLRO review for material CRR changes. |
| Sanctions Screening | Cross-reference against OFAC SDN, EU Consolidated List, UK HM Treasury, and other designated persons lists. | Account restriction, freeze, or STR/SAR filing. | Mandatory human review of potential matches. |
| Fraud Detection | Anomaly detection on account activity, login patterns, device fingerprinting, and behavioural signals. | Temporary account restriction or suspension pending manual review. | Mandatory review before permanent action. |
| Biometric Entity-Matching (Multi-Entity) | Facial geometry and biometric confidence scores compared across OKX Group entities using EagleEye or equivalent technology. Results are confidence indicators only. | Elevated group-level risk assessment; possible CRR revision. No account action solely on automated matches. | Mandatory CDD team review of all confidence factors before confirming a match. |
| Creditworthiness / Loan Eligibility | Trading history, account balances, and platform behavior to determine eligibility for lending products. | Loan application declined or credit limit set. | Available on request (Art. 22(3)). |

Your Rights Regarding Automated Decisions

Where an automated decision produces a legal or similarly significant effect on you, you have the right to: (a) request human review by a qualified OKX employee; (b) express your point of view and provide additional information; and (c) contest the decision and request reconsideration. Contact privacyoffice@okx.com with subject 'AUTOMATED DECISION REVIEW REQUEST.'

EU AI Act Transparency

Certain AI systems deployed by OKX are classified as high-risk under Annex III of the EU AI Act (Regulation 2024/1689), including systems used for biometric identification and AML/fraud risk scoring. OKX has put in place conformity assessments and Fundamental Rights Impact Assessments to meet our compliance obligations.

AI-Driven Risk Check

At authorization, OKX's automated risk check evaluates behavioral signals, IP address, device identifier, and KYC status to determine whether biometric liveness verification is required before a token is issued. If triggered and not passed, authorization is blocked automatically with no real-time human review. To contest a blocked authorization, contact us via the provided email with the subject 'AUTOMATED DECISION REVIEW REQUEST.'

Third-Party AI Agent Autonomous Trade Execution

Where you authorize a third-party AI agent via a delegated authorization flow, that agent may execute trades and access account data on your behalf within the scope of permissions granted. OKX provides the authentication infrastructure only and does not build, operate, or control the third-party AI agent's decision-making. Trading decisions are made autonomously by the third-party provider without real-time human review, and OKX's transaction monitoring systems flag suspicious activity post-execution. You are strongly advised to monitor AI agent activity and revoke access immediately if unexpected trades occur.

Pursuant to EU AI Act Article 50, OKX's authorization interface discloses the identity and role of the third-party AI agent, the scope of permissions granted, and the applicable access revocation mechanism.

8. AML/CFT INTRA-GROUP DATA SHARING (MULTI-ENTITY CUSTOMERS)

The Information-Sharing Framework

Group entities are required to implement group-wide AML/CFT policies and procedures, including procedures for the sharing of information within the group where this is relevant for customer due diligence and transaction monitoring. In accordance with this obligation, authorized OKX Group Compliance personnel (including Money Laundering Reporting Officers (MLROs)) may share Personal Data about you with MLROs in other OKX Group entities where you hold accounts.

This sharing is subject to strict purpose limitation: it may only occur for the purposes of AML/CFT compliance and is limited to authorized Compliance personnel. It does not permit sharing for commercial, marketing, or other non-compliance purposes.

Account Restriction and Cross-Entity Freezing

Where an OKX Group entity is legally required to freeze or restrict your account under applicable sanctions legislation or regulatory direction:

  • The entity imposing the restriction will notify other OKX Group entities in which you hold accounts of the fact of the restriction and, to the extent legally permissible, its regulatory basis.

  • Each receiving entity will independently assess whether it is required under its own applicable law to impose a corresponding restriction. This is not an automatic process: each MLRO exercises independent legal judgment.

  • Sanctions obligations vary significantly between jurisdictions. A match under one jurisdiction's list does not automatically create a legal obligation in another jurisdiction, but will trigger a review.

  • Primary basis: Legal obligation (4AMLD Art. 45 group controls; applicable national AML law).

  • Secondary basis: Legitimate interests in group-wide financial crime prevention.

  • Biometric entity-matching: Substantial public interest (AML/CFT), supplemented by applicable national law. See Section 21.

9. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

OKX may disclose Personal Data to the following categories of recipients, in each case only to the extent necessary for the stated purpose and subject to appropriate contractual data protection obligations:

  • OKX Group companies: Subsidiaries, holding companies, and affiliated entities within the OKX Group — including for AML/CFT intra-group sharing as described in Section 8.

  • Identity verification processors: Au10tix, Jumio, and Sumsub — whose respective biometric data policies are linked in Section 18.

  • AML, fraud, and sanctions service providers: Refinitiv World-Check, Dow Jones Risk & Compliance, Moody's, and equivalent providers.

  • Biometric entity-matching technology providers: EagleEye or equivalent, acting as data processors under Data Processing Agreements.

  • Payment processors and banking partners: Entities facilitating fiat transfers, card issuance, and payment processing.

  • IT, infrastructure, and analytics providers: Cloud hosting, data storage, customer support platforms, and analytics services.

  • Professional advisors: Legal counsel, auditors, and compliance consultants.

  • Regulators, FIUs, and law enforcement: Where required by applicable law, court order, or lawful regulatory request, including STR/SAR disclosures to Financial Intelligence Units.

  • Prospective acquirers: In the context of a merger, acquisition, or sale of all or part of OKX's business, subject to confidentiality obligations.

  • Prospective Service Providers: Before entering a service agreement, OKX may share a limited, pseudonymized dataset with a prospective provider to evaluate their technical capabilities. Any such sharing is governed by a data protection agreement, restricted to evaluation purposes, and the recipient must delete the data upon completion.

OKX does not sell your Personal Data to third parties for their own commercial use.

All third-party processors are subject to data processing agreements imposing data protection obligations at least equivalent to those in this Notice.

10. INTERNATIONAL DATA TRANSFERS

OKX operates globally and transfers Personal Data to countries other than the country in which it was collected. All international transfers are conducted subject to appropriate safeguards.

Transfers from the EEA

  • To countries with a European Commission adequacy decision: transfers proceed without additional safeguards.

  • To all other third countries (including the Seychelles): OKX relies on Standard Contractual Clauses (Module 1, Controller-to-Controller) under EU Commission Implementing Decision 2021/914/EU, supplemented by Transfer Impact Assessments (TIAs) where required.

  • For urgent, non-systematic transfers pending execution of SCCs (e.g. in AML/CFT escalation scenarios): Art. 49(1)(d) GDPR - transfer necessary for important reasons of substantial public interest (AML/CFT compliance). This derogation is relied upon only in circumstances described in Section 8 and for the minimum period necessary.

Transfers from the United Kingdom

  • OKX relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs for transfers to non-adequate countries.

Transfers from Other Jurisdictions

  • Malaysia: PDPA 2010 s. 129 contractual arrangements ensuring equivalent protection.

  • Singapore: PDPA ss. 26-27 contractual arrangements.

  • Australia: APP 8.1 contractual obligations binding the overseas recipient to the Australian Privacy Principles.

  • Brazil: LGPD Art. 33, CD/ANPD n. 19/2024 - standard contractual clauses or other approved mechanisms.

The OKX Group operates globally, and your Personal Data may be stored or processed in any country where we are licensed, maintain a presence, or engage service providers, including Vietnam and other jurisdictions where OKX or its service providers operate. All such transfers comply with applicable data protection laws and your Personal Data is protected to the standards in this Notice. Courts, law enforcement, and regulatory authorities in those countries may have lawful access to your Personal Data.

A Transfer Impact Assessment has been conducted in relation to OKX Group transfers to the Seychelles, having regard to the Seychelles Data Protection Act 2023.

11. DATA RETENTION SCHEDULE

OKX stores Personal Data in its own systems and those of its affiliates and third-party storage providers. All storage arrangements are subject to contractual data protection obligations, at least equivalent to those set out in this Notice. Full details of our information security measures are set out in Section 12 (Information Security).

Personal Data may be transferred to, and stored or processed in, countries other than your country of residence, including countries where data protection laws differ from those of your jurisdiction. All such international transfers are conducted subject to lawful transfer mechanisms - including Standard Contractual Clauses (EU SCCs), the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, or other approved safeguards as applicable - as described in full in Section 10 (International Data Transfers).

OKX retains your Personal Data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. Where no statutory period applies, data is held only for as long as the original purpose requires, then securely deleted or irreversibly anonymized. Retention periods may be extended where required by a legal hold, regulatory direction, or pending legal proceedings.

12. INFORMATION SECURITY

OKX implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, accidental loss, alteration, disclosure, or destruction. These measures include:

  • End-to-end encryption of platform communications using TLS 1.2 or higher;

  • Mandatory two-factor authentication (2FA) for all account access;

  • Role-based access controls limiting internal access to Personal Data on a need-to-know basis;

  • Audit logging of all cross-entity data access and sharing events (required for AML/CFT intra-group sharing);

  • Regular penetration testing and vulnerability assessments;

  • Secure disposal of Personal Data upon expiry of the applicable retention period.

If you have any questions about information security or wish to report a security issue, please contact us by email at security@okx.com with the subject “INFORMATION SECURITY REQUEST”.

13. YOUR RIGHTS

Subject to verification of your identity and applicable legal exceptions, you have the following rights. Rights specific to California residents are set out in Section 19. GLBA opt-out rights for US customers are in Section 20. Visit this Portal to exercise your rights.

GDPR / UK GDPR Rights

| Right | Description | AML/Tipping-Off Restriction |
|---|---|---|
| Access (Art. 15) | Obtain confirmation of processing and a copy of Personal Data held, including information about the processing. | May be restricted where disclosure would prejudice an AML/CFT investigation or constitute tipping-off (Art. 39 4AMLD). |
| Rectification (Art. 16) | Request correction of inaccurate or completion of incomplete data. | Available in full; corrections do not affect independently formed risk assessments. |
| Erasure (Art. 17) | Request deletion where processing no longer has a lawful basis. | Cannot apply where retention is required by AML/sanctions legislation (5-year minimum post-relationship retention applies). |
| Restriction (Art. 18) | Request suspension of processing in specified circumstances. | May be overridden by legal obligation to continue AML/CFT processing. |
| Portability (Art. 20) | Receive data in a structured, machine-readable format; transfer to another controller. | Applies to contractual/consent-based processing only; not to mandatory AML processing. |
| Object (Art. 21) | Object to processing based on legitimate interest; absolute right to object to direct marketing. | Right to object does not apply where processing is necessary for legal compliance (AML/CFT). |
| Automated Decisions (Art. 22) | Request human review; express view; contest decision. See Section 7. | Risk scoring incorporates mandatory human review. Entity-matching results require CDD team confirmation. |
| Withdraw Consent (Art. 7(3)) | Withdraw consent for consent-based processing at any time. See Section 14. | Not applicable to AML/CFT mandatory processing. |
| Lodge Complaint (Art. 77) | Lodge a complaint with the competent supervisory authority. See contacts below. | Applies in full; DPO escalation available first. |

Supervisory Authority Contacts

  • EEA: Competent DPA in your EU Member State of habitual residence or work.

  • UK: Information Commissioner's Office (ICO) - ico.org.uk | 0303 123 1113

  • Australia: Office of the Australian Information Commissioner (OAIC) - oaic.gov.au

  • Malaysia: Personal Data Protection Commissioner (PDPC) - pdp.gov.my | Aras 3, Wisma Sumber Asli, No. 25, Persiaran Perdana, Precinct 4, 62574 Putrajaya, Malaysia

  • Singapore: Personal Data Protection Commission (PDPC) - pdpc.gov.sg

  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) - gov.br/anpd

  • California: California Privacy Protection Agency (CPPA) - cppa.ca.gov

  • Seychelles: Data Protection Commissioner (under Data Protection Act 2023)

  • El Salvador: Instituto de Acceso a la Información Pública (IAIP) - iaip.gob.sv

  • Argentina: Agencia de Acceso a la Información Pública (AAIP) - argentina.gob.ar/aaip

Where OKX processes your Personal Data on the basis of consent, you may withdraw that consent at any time via:

  • Email: privacyoffice@okx.com | Subject: 'CONSENT WITHDRAWAL REQUEST'

Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

| Category | Purpose | Consent | Duration |
|---|---|---|---|
| Strictly Necessary | Session management, authentication, security, and fraud prevention. Cannot be disabled. | No | Session / 24h |
| Performance / Analytics | Platform usage analysis, traffic measurement, and error identification. | Yes — CMP | 12 months |
| Functional | Preference retention (language, region, display settings). | Yes — CMP | 12 months |
| Targeting / Advertising | Relevant advertising on third-party platforms; marketing campaign measurement. | Yes — explicit | 6 months |

Manage cookie preferences via the Cookie Preference Centre. A full Cookie Notice listing each cookie by name, provider, purpose, and duration is available at the site.

16. CHILDREN’S PERSONAL DATA

OKX does not knowingly offer Services to or collect Personal Data from individuals under the age of 18. If OKX becomes aware of inadvertent collection of a minor's data, it will be promptly deleted. Notify us at privacyoffice@okx.com if you are aware of a minor using our Services.

17. COMMUNICATIONS AND MARKETING

OKX will only send direct marketing communications with your prior consent. Opt out at any time via the unsubscribe link in any marketing communication or by contacting our Customer Support at the Support Center.

Service communications such as account notifications, policy updates, security alerts, and transaction confirmations are sent on the basis of contract performance or legal obligation and cannot be opted out of during an active account.

18. BIOMETRIC DATA

OKX processes biometric data for the following distinct purposes, each supported by a different legal basis.

Identity Verification (Onboarding)

Biometric verification during account onboarding is performed by the following third-party processors:

Legal basis: Explicit consent. Explicit consent is obtained prior to biometric data collection during onboarding.

Biometric Entity-Matching Across Group Entities (Multi-Entity Customers)

For multi-entity customers, OKX Group may process biometric data, specifically, facial geometry and biometric confidence scores derived from selfie photographs and liveness checks submitted during onboarding to determine whether individuals who have submitted different identity credentials to different OKX Group entities are the same individual ('entity-matching').

Legal basis: Processing necessary for reasons of substantial public interest (AML/CFT prevention, detection, and investigation of financial crime), read together with applicable national implementing legislation. Where required by applicable national law, explicit consent or an alternative derogation may additionally be relied upon.

EagleEye Liveness Detection - AI Agent Authorization

Where OKX's Risk check identifies a high-risk AI agent authorization session, EagleEye liveness detection is triggered to confirm the account holder's identity before a token is issued. This is distinct from the AML entity-matching use described above: the legal basis here is explicit consent, the trigger is the Risk check output only, and facial geometry is deleted in-session - only the pass/fail result is retained in the authorization event log.

US State Biometric Laws

  • Illinois (BIPA, 740 ILCS 14/15): OKX collects biometric identifiers (facial geometry) solely for identity verification. A written policy on collection, retention, and destruction is maintained. Written consent is obtained prior to collection. OKX does not sell, lease, trade, or profit from biometric identifiers.

  • Texas (CUBI Act, Bus. & Com. Code Ch. 503): Informed consent is obtained prior to collection. OKX does not sell biometric identifiers.

  • Washington (HB 1493): Biometric identifiers are collected only for the specific purposes described in this section with appropriate consent.

Exercising Rights in Relation to Biometric Data

Submit requests to privacyoffice@okx.com with subject 'BIOMETRIC DATA REQUEST.' Deletion of biometric data prior to KYC completion may affect your ability to access certain Services. Deletion requests in relation to entity-matching data are subject to any applicable AML retention requirements and restrictions.

19. ADDITIONAL RIGHTS FOR CALIFORNIA RESIDENTS (CCPA/CPRA)

This Section applies to California residents and supplements the general rights set out in Section 13. In the event of conflict, this Section governs for California residents.

Categories of Personal Information Collected

  • Identifiers: Name, email, IP address, account username, government ID number.

  • Personal records: Financial account information, bank account details.

  • Protected classification characteristics: Nationality, date of birth.

  • Commercial information: Transaction history, trading activity, account balances.

  • Biometric information: Facial geometry for identity verification and entity-matching.

  • Internet or electronic network activity: Usage data, log information, device identifiers.

  • Geolocation data: IP-derived approximate location.

  • Sensitive personal information: Government ID, financial account details, biometric identifiers.

Sale or Sharing of Personal Information

OKX does not sell personal information for monetary consideration. In jurisdictions where applicable law requires prior consent for behavioral advertising, OKX will not conduct such processing absent valid consent. In jurisdictions operating under an opt-out framework, OKX may share personal information for cross-context behavioral advertising; submit opt-out requests via the process in Section 17.

California Consumer Rights

  • Right to Know (s. 1798.110): Categories and specific pieces of PI collected; sources; business purposes; third-party categories.

  • Right to Delete (s. 1798.105): Request deletion, subject to applicable exceptions.

  • Right to Correct (s. 1798.106): Request correction of inaccurate PI.

  • Right to Opt-Out of Sale/Sharing (ss. 1798.120, 1798.135): Opt out of sale or sharing for cross-context behavioral advertising.

  • Right to Limit Sensitive PI Use (s. 1798.121): Limit use to CPRA-permitted purposes.

  • Right to Non-Discrimination (s. 1798.125): No adverse treatment for exercising rights.

Submit Verifiable Consumer Requests: DSAR Portal. Response within 45 days (extendable by 45 days with notice). Free of charge, up to twice per 12 months.

20. GLBA DISCLOSURES FOR US CUSTOMERS (OKX INC.)

OKX INC. is a 'financial institution' under the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. §§ 6801 et seq.) as an entity significantly engaged in financial activities, including digital asset exchange, custody of crypto assets, and acting as a finder that brings together buyers and sellers of digital assets. The following GLBA-specific disclosures apply to OKX INC.'s US customers.

GLBA Financial Privacy Rule (16 C.F.R. Part 313)

OKX INC. collects the following categories of Nonpublic Personal Information (NPI) about its US customers:

  • Information you provide: name, address, email, phone number, date of birth, government-issued ID, account credentials, financial account information, tax identification number.

  • Information from transactions: account balances, transaction history, trading activity, payment instrument details.

  • Information from third parties: verification data from identity verification services, data from consumer reporting agencies or sanctions screening providers.

Disclosure of NPI

OKX INC. may share your NPI with the following categories of third parties:

  • Affiliated companies: other OKX Group entities (for AML/CFT group purposes described in Section 8, and for service delivery).

  • Non-affiliated service providers: payment processors, identity verification processors, analytics providers, legal and compliance advisors where necessary to provide Services and subject to contractual data protection obligations.

  • Regulatory and law enforcement: where required by federal or state law, including FTC enforcement, FinCEN reporting, and OFAC compliance.

OKX INC. does not share your NPI with non-affiliated third parties for their independent marketing use.

GLBA Opt-Out Rights

Under the GLBA Financial Privacy Rule (16 C.F.R. § 313.7), you have the right to opt out of OKX INC. sharing your NPI with non-affiliated third parties who are not service providers acting on our behalf, to the extent any such sharing is undertaken. To exercise your opt-out right:

  • Email: privacyoffice@okx.com | Subject: 'GLBA OPT-OUT REQUEST'

OKX INC. will process your opt-out within 30 days of receipt.

GLBA Security and Breach Notification

OKX INC.'s information security obligations under the GLBA Safeguards Rule are operational and will guide our Breach Notification obligations for incidents affecting customers.

21. JURISDICTION-SPECIFIC SUPPLEMENTS

This Privacy Notice is available in multiple languages. In the event of any discrepancy, the English version shall prevail, except where local law requires otherwise.

United Kingdom (UK GDPR and Data Protection Act 2018)

  • Data Controller: OKX Europe Limited - Section 2.

  • Legal basis: UK GDPR equivalent provisions apply throughout.

  • Supervisory authority: Information Commissioner's Office (ICO) - ico.org.uk.

  • International transfers: UK IDTA and/or UK Addendum to EU SCCs for non-adequate countries.

Malaysia (Personal Data Protection Act 2010, Act 709, as amended 2024)

  • Data Controller: Aux Cayes FinTech Co. Ltd. (catch-all entity, Section 2).

  • Applicable law: Personal Data Protection Act 2010 (Act 709), as amended by the Personal Data Protection (Amendment) Act 2023 (effective 1 June 2024). Processing is governed by seven data protection principles: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access.

  • Access requests: OKX will respond to access requests from Malaysian residents within 21 days of receipt.

  • Supervisory authority: Personal Data Protection Commissioner (PDPC) - pdp.gov.my | Aras 3, Wisma Sumber Asli, No. 25, Persiaran Perdana, Precinct 4, 62574 Putrajaya | Tel: +603 8911 8000.

Singapore (PDPA)

  • Data Controller: OKX SG Pte. Ltd.

  • This Notice fulfills the notification obligation under PDPA s. 20.

  • Cross-border transfers: PDPA ss. 26-27; overseas recipients bound to equivalent protection standards.

  • Access and correction requests: 30-day response (PDPA s. 22).

Australia (Privacy Act 1988 - APPs)

  • Data Controller: OKX Australia Pty Ltd.

  • This Notice is OKX Australia's Privacy Policy for APP 1 purposes.

  • Cross-border disclosure: APP 8.1; reasonable steps taken to ensure overseas recipients comply with APPs.

  • Complaints: DPO in first instance; then Office of the Australian Information Commissioner (OAIC) - oaic.gov.au.

Brazil (LGPD - Lei 13.709/2018)

  • Data Controller: OKX Serviços Digitais Ltda.

  • Encarregado (DPO): Rodrigo Alves Rodrigues - privacyoffice@okx.com (LGPD Art. 41).

  • Legal bases: contract performance, legal obligation, legitimate interest, and consent (LGPD Art. 7).

  • International transfers: LGPD Art. 33, Resolution CD/ANPD n. 19/2024 - standard contractual clauses or approved mechanisms.

  • LGPD Art. 18 rights: confirmation of processing, access, correction, anonymisation/blocking/deletion, portability, sharing information, revocation of consent.

  • Supervisory authority: ANPD - gov.br/anpd.

Seychelles (Data Protection Act 2023)

  • Data Controller: Aux Cayes FinTech Co. Ltd.

  • The Information Commission, Republic of Seychelles.

  • AML/CFT data sharing: governed by the intra-group SCC framework described in Section 10.

Argentina (Ley de Proteccion de los Datos Personales - Law No. 25.326)

  • Data Controller: OKX Fintech, SA de CV (Argentine Branch) | Maipu 1300, 9th Floor, Ciudad de Buenos Aires, Argentina.

  • Applicable law: Ley de Proteccion de los Datos Personales, Law No. 25.326 (2000) and Implementing Decree No. 1558/2001; AAIP Resolution 47/2018 on information security measures. Argentina holds a European Commission adequacy decision (Decision 2003/490/EC), enabling lawful data transfers from the EEA without additional safeguards.

  • Database registration: OKX is required to register personal data databases with the AAIP pursuant to Law 25.326 Art. 21. Registered databases are listed in the AAIP's National Registry of Databases.

  • Consent: Collection of personal data requires informed, express consent from the data subject (Art. 5), except where collection is necessary for the performance of a contract, compliance with a legal obligation, or protection of vital interests. Sensitive data (datos sensibles) - including biometric data, health data, political opinions, racial origin, and religious beliefs - requires explicit consent in all cases and may not be collected without it (Art. 7).

  • Data subject rights under Law 25.326: (i) Right of access (habeas data - Art. 14): data subjects may request, free of charge, a full copy of their personal data held in any database within 30 days of the request; (ii) Right to rectification and updating (Art. 16): data subjects may request correction of inaccurate or outdated data; (iii) Right to deletion (supresion - Art. 17): data subjects may request deletion of personal data that is excessive, irrelevant, outdated, or unlawfully processed, subject to retention obligations; (iv) Right to confidentiality: data subjects may request that data used for commercial advertising purposes be kept confidential (Art. 27); (v) Right to object to processing for direct marketing (Art. 27(3)).

  • International transfers: Law 25.326 Art. 12 restricts transfers to countries that do not provide an adequate level of protection, unless an exception applies (consent, contractual necessity, or public interest). OKX ensures that any transfer of Argentine residents' personal data to jurisdictions not recognised as adequate is subject to appropriate contractual safeguards.

  • Security measures: OKX implements the technical and organisational security measures required by AAIP Resolution 47/2018 for controllers handling personal data in Argentina, including measures proportionate to the sensitivity of the data processed.

  • Sensitive data — biometric: Biometric data constitutes 'datos sensibles' under Law 25.326 Art. 2. OKX will only process biometric data of Argentine residents with explicit consent or where processing is strictly necessary for AML/CFT legal compliance. Biometric data will not be used for any other purpose.

  • Supervisory authority: Agencia de Acceso a la Informacion Publica (AAIP) - argentina.gob.ar/aaip | Sarmiento 1118, C1041AAX, Ciudad de Buenos Aires | Tel: +54 11 5300-4357. Argentine residents may lodge complaints directly with the AAIP.

El Salvador (Ley de Proteccion de Datos Personales - Legislative Decree No. 1282, 2022)

  • Data Controller: OKX Fintech Sociedad Anonima de Capital Variable | Calle El Mirador e/87 y 89 Av. Nte., Col. Escalon, San Salvador, El Salvador.

  • Applicable law: Ley de Proteccion de Datos Personales (LPDP), Legislative Decree No. 1282, published in the Official Gazette on 9 March 2022, which entered into force in September 2023. The LPDP establishes the general data protection framework in El Salvador and draws substantially from the GDPR model. OKX Fintech S.A. de C.V. is a regulated entity under Salvadoran law and is subject to the LPDP in relation to the personal data of Salvadoran residents.

  • Definitions: The LPDP adopts definitions broadly aligned with the GDPR, including 'dato personal' (personal data), 'responsable del tratamiento' (data controller), 'encargado del tratamiento' (data processor), and 'titular de los datos' (data subject).

  • Principles: OKX processes personal data of Salvadoran residents in accordance with the LPDP principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability (Art. 5 LPDP).

  • Legal bases for processing: Processing of personal data requires a lawful basis under Art. 12 LPDP: (i) consent of the data subject; (ii) performance of a contract to which the data subject is party; (iii) compliance with a legal obligation applicable to the controller; (iv) protection of the vital interests of the data subject; (v) performance of a task carried out in the public interest; or (vi) legitimate interests of the controller, provided they do not override the fundamental rights of the data subject.

  • Sensitive data: The LPDP establishes a heightened protection regime for datos sensibles, including biometric data, health data, sexual orientation, racial or ethnic origin, political opinions, and religious beliefs (Art. 16 LPDP). Processing of sensitive data requires explicit consent or reliance on a narrowly defined statutory exception, including compliance with AML/CFT obligations where expressly required by law.

  • Data subject rights under the LPDP: (i) Right of access (Art. 24): data subjects may request confirmation of processing and a copy of their personal data; (ii) Right to rectification (Art. 25): data subjects may request correction of inaccurate data without undue delay; (iii) Right to cancellation/deletion (Art. 26): data subjects may request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful, subject to applicable retention obligations under AML and financial services law; (iv) Right to object (Art. 27): data subjects may object to processing based on legitimate interest; (v) Right not to be subject to solely automated decisions (Art. 30): data subjects have the right to human review of decisions producing significant effects, consistent with the disclosures in Section 7 of this Notice.

  • International transfers: The LPDP restricts transfers of personal data to third countries that do not ensure an adequate level of protection (Art. 34). OKX relies on contractual safeguards (standard data transfer clauses or equivalent mechanisms recognised under Salvadoran law) for all transfers of Salvadoran residents' data to non-adequate third countries.

  • Data breach notification: Under the LPDP, OKX is required to notify the IAIP and, where the breach is likely to result in a high risk to data subjects, the affected individuals, without undue delay following discovery of a personal data breach.

  • Responsible for data protection: OKX Fintech S.A. de C.V. has designated Rodrigo Alves Rodrigues as the responsible contact for data protection matters in El Salvador, accessible via privacyoffice@okx.com.

  • Supervisory authority: Instituto de Acceso a la Informacion Publica (IAIP) - iaip.gob.sv | 87 Avenida Norte y Calle El Mirador, Colonia Escalon, San Salvador | Tel: +503 2243-4646. Salvadoran residents may lodge complaints with the IAIP if they believe their rights under the LPDP have been infringed.

22. CHANGES TO THIS PRIVACY NOTICE

OKX will notify you of material changes to this Notice by: (a) email notification at least 30 days prior to the change taking effect; and (b) a prominent platform notice for at least 30 days. Non-material changes (typographical errors, updated contact details) may be made without prior notice. The effective date at the top of this Notice will be updated to reflect all revisions. Where a change requires fresh consent, it will be obtained separately before the change takes effect.

23. CONTACT US

If you have any questions about this Privacy Notice or the use of your Personal Data, please contact us with the subject 'PRIVACY REQUEST' via: privacyoffice@okx.com.